CVE-2025-65781
HIGH WAF: Medium
CVSS 8.2
Published: 2025-12-15
CWE-287 CWE-400
An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Attachment upload API treats the Authorization bearer value as a userId and enters a non-terminating body-handling branch for any non-empty bearer token, enabling trivial application-layer DoS and latent identity-spoofing.
WAF Coverage Analysis
Improper Authentication
Low WAF Coverage
OWASP: A07:2021 Identification and Authentication Failures
Uncontrolled Resource Consumption
Medium WAF Coverage
OWASP: A05:2021 Security Misconfiguration
912xxx - DOS Protection
Affected Software
| Vendor | Product | Version |
|---|---|---|
| wekan_project | wekan | up to 8.16 |
References
- github.com (Product)
- github.com (Release Notes)
- github.com (Patch)
- wekan.fi (Vendor Advisory)